Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘PCI compliance requirements’


Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.

Ten Ways To Secure Web Data Under PCI
by Robert Lemos
Whether they’re brick-and-mortar or online, merchants find the Payment Card Industry’s requirements for protecting credit card data challenging and confusing.
But all retailers must understand how to protect the credit card and other customer data that comes from online transactions, because their businesses are in cybercriminals’ crosshairs…

Gartner VP interview: Mobile and social top challenges for CIOs
by Roberta Prescott
Mobile and social technologies represent a departure from the information technologies that CIOs are used to, such as ERP and CRM. This change is one of the three fundamental questions IT leaders and CIOs are facing, according to Mark McDonald, Gartner group vice president and head of research in Gartner Executive Programs…

EMV Migration Gets Answer People
by John Adams
Other groups, such as the Smart Card Alliance, are also expanding EMV migration information sharing. The alliance, whose members include card manufacturers, payment processors and financial institutions, operates the EMV Migration Forum, an independent, cross-industry body to discuss issues that require cooperation and coordination across constituents in the payments space…

What other interesting content have you come across? Leave a comment below and join the discussion.

New PCI Rules Will Force Retailers To Set The Risk Level
by Walter Conway
PCI version 2.0 changed July 1. Even though there are actually no new requirements, per se, as of this date, the stated “best practices” for identifying and ranking risk vulnerabilities in Requirement 6.2 became mandatory. Ignore this change and you may see yourself up a PCI tree later this year…

Not All Merchants Are Happy with the $7-Billion-Plus Credit Card Settlement
by Digital Transactions
No sooner had the ink dried on a proposed settlement of a massive credit card suit than cracks began to appear in what had been an edifice of merchant solidarity. The NACS, a national trade group for convenience-store operators, on Friday said its board of directors had unanimously rejected the settlement, and on Monday its attorney told Digital Transactions News more merchant dissenters will emerge. “A lot of merchants are very upset about this [settlement],” says Douglas Kantor, a Washington, D.C.-based partner at Steptoe & Johnson LLP…

Small Kentucky town latest victim of credit card fraud affecting 25% of police force
by Avivah Litan
I’ve been hearing from U.S. banks that card fraud continues to be a major issue for them, while online bank account takeover and trojan-based attacks have flattened out. The new trend, they say, is ‘micro-attacks’ that are localized, small in nature and which stay under the radar longer, giving the crooks more time to rack up unauthorized charges…


Originally featured on Tnooz

Day Three: On the horizon… What’s next for PCI DSS?

Recently, VISA, one of the founding members of the PCI Council, made headlines by developing global industry best practices for tokenization.

This guidance was provided to merchants, vendors, and service providers in an effort to promote safe merchant environments.

Tokenization is the process through which a credit card’s primary account number is replaced by a proxy, with no mathematical relationship back to the original number.

By replacing the account number, merchants and processors limit the sensitive data that is stored on their systems, thereby significantly reducing the risk that this sensitive data could be stolen by hackers.

Could this guidance be a preview of what is on the horizon for PCI DSS?

We hope so.

The PCI Council continues to work on developing guidelines that will help merchants eliminate sensitive card data from payment systems in order to simplify data security and compliance efforts.
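To make the "no mathematical relationship" property above concrete, here is an added example (not code from VISA, the PCI Council or Merchant Link) of a minimal token vault. The class name, the `tok_` prefix and the caller names are hypothetical; the hash function is included only as a counter-example of a proxy that is derived from the card number.

```python
import hashlib
import secrets

def hashed_proxy(pan: str) -> str:
    """Counter-example: a proxy computed from the PAN. Anyone holding a
    guessed card number can recompute it, so a relationship exists."""
    return hashlib.sha256(pan.encode()).hexdigest()

class TokenVault:
    """In-memory stand-in for a vault hosted outside the merchant's systems."""

    def __init__(self, authorized_callers):
        self._authorized = set(authorized_callers)
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch not in " -")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a plausible card number")
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]      # same card, same token
        while True:
            # Drawn from the OS CSPRNG; nothing here is computed from the PAN,
            # so the only way back to the card number is the vault's own table.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not recover card numbers")
        return self._pan_by_token[token]

def demo():
    pan = "4111 1111 1111 1111"   # constructed: industry test number, not a real card
    vault_a = TokenVault({"settlement"})
    vault_b = TokenVault({"settlement"})
    token = vault_a.tokenize(pan)
    return {
        "token": token,
        "repeat": vault_a.tokenize(pan),          # identical to "token"
        "other_vault": vault_b.tokenize(pan),     # unrelated value for the same card
        "recovered": vault_a.detokenize(token, "settlement"),
    }
```

The merchant's systems store only the token; two independent vaults return unrelated tokens for the same card, whereas `hashed_proxy` returns the same value everywhere.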

Originally featured on Tnooz

Day Two: Easy things you can do that cost little or no money


Merchants are easily overwhelmed when it comes to achieving PCI compliance and securing credit card information.

Most already know that they must do more when it comes to protecting their customers’ data, but most feel they don’t have the time or money to do it properly.

Still, without security and trust, customers will start to disappear. But let’s be honest – hotel owners and operators are not security experts.

In today’s economy, most operators are more concerned with keeping their doors open.

So as the PCI Council continues to add more steps and requirements to the standards, most of these operators clearly cannot spend the time or resources, nor do they have the expertise, to ensure that they are compliant.

So let’s start with some easy steps that can help you adhere to the standards without costing you too much time or money. These are the basics:

  • Block the unwanted: Install a firewall to block unauthorized access to your computer systems.  Consumer-grade firewalls require minimal configuration and cost very little.
  • Patch your systems: When a POS application or system vulnerability is identified, a patch is typically released by the vendor to protect your systems from being exploited.  Most patches can be downloaded and installed automatically and are free.
  • Use strong passwords: Change passwords on a regular basis and ensure you are using a combination of letters, numbers, and special characters.  Passwords should be easy to remember but hard for others to guess.  This is an easy, cost-free security measure.
  • Know where the data is: Determine where credit card data is stored on the network. Is there an inventory? When is it essential to have it stored? Most organizations can probably eliminate 50% of credit card data they store. If credit card data is not stored on your systems, the scope of your PCI compliance audit can be significantly reduced.

Using a multi-layered approach to secure critical assets needs to be a priority. If the hotel’s systems are secure, compliance will fall into place.

By Troy Mechura

Panasonic recently decided to stop supporting the Panasonic System Manager Pro (SMP), leaving approximately 3,500 merchants and Quick Service Restaurants (QSRs) scrambling for an alternative point-of-sale (POS) credit interface. But you can relax, SMP merchants and dealers! Merchant Link and Bunt Software have announced the development of a next-generation point-of-sale payment interface called SMPLink.

Installation of the SMPLink interface means you can extend and breathe new life into your SMP System and avoid investing thousands of dollars in a new POS system. You will also get the added benefits of TransactionVault®, Merchant Link’s tokenization technology that removes credit card data from the POS system, lowering the risk of data breaches and dramatically reducing PCI compliance efforts.

For more information on SMPLink, please visit Bunt Software. In addition, you can read the full press release here.

Are you concerned about your Panasonic SMP system becoming obsolete soon? Join the discussion and post your comments below.

Hotels Remain Primary Target for Hackers


By Sue Zloth

Hackers are now stealing credit card data from hotels more often than from any other industry. With nearly 38% of data-breach investigations in 2009 originating from hotels, the industry must come together and develop standards, beyond PCI, to ensure credit card processing is secure.

In fact, just last week during HITEC, which is one of the largest lodging conferences, discussion around security was buzzing on the show floor.

While we were talking about the importance of security, Destination Hotels and Resort was reporting that it had suffered from a credit card fraud scheme which impacted 21 of its hotels across the United States. Data from more than 700 guests across the country was involved.

According to a statement, Destination said it uncovered malicious software in its credit card processing system, inserted from a remote source. Investigators believe the breach was isolated to locations where credit cards were physically swiped.

Hotels Moving Data Off-Site

Attacks such as these are exactly why so many hotel and lodging chains are working hard to get out of the credit card business. PCI is just not enough. It is simple – having credit card data on-site is enticing to hackers. A layered approach to security, including tokenization and encryption, which allows credit card data to be removed from the site, gives hoteliers the peace of mind that customers’ information is secure.

That is why some of the world’s largest hotel chains are turning to vendors to get them out of the credit card business. Tokenization is one of the solutions currently in use. By tokenizing credit card data, sensitive credit card information is removed from the merchant’s site and moved onto a PCI DSS certified network. If you remove the data, you can remove the risk.

Is moving data off-site the answer for the hotel industry? Join the discussion and post your comments below.

At HITEC this week, one thing is resoundingly clear: there is a tremendous amount of buzz about security. The industry needs stronger security in place for payment processing to avoid being caught in the headlines of the major news outlets as the latest victims of a breach.

This is why we are very excited about our ability to now offer the first encryption solution for the hospitality industry. Merchant Link has strengthened transaction security with the combination of end-to-end encryption and tokenization. For the first time, the hospitality industry will benefit from one solution that secures both data-in-flight and data-at-rest.

Current solutions that use software to intercept transaction data leave a vulnerability that hackers can exploit. Even a nanosecond of vulnerability opens the door to attacks. By protecting credit card data from the point of swipe throughout the entire transaction life-cycle, even this nanosecond of vulnerability is closed. Further, both end-to-end encryption and tokenization are expected to be key solutions highlighted in the October 2010 release of the next PCI DSS standard.

In addition, here are some key points as to why we are excited about this announcement:

• ENCRYPTING WITHIN THE MSR / DECRYPTING OUTSIDE YOUR IT ENVIRONMENT: The new solution encrypts the sensitive credit card information within the actual magnetic stripe reader (MSR) right at the point of swipe, and the data travels encrypted all the way through the hotel or merchant’s IT environment. The decryption occurs within Merchant Link’s hosted payment gateway outside the merchant’s environment, thus reducing the risk of compromised data.

• COMBINING E2EE WITH NEXT GENERATION TOKENIZATION: Layering tokenization with end-to-end encryption greatly improves data security. The new solution works in concert with Merchant Link’s TransactionVault tokenization offering, which has evolved to meet the hotel industry’s unique needs. “TransactionVault Keys” distinguish themselves from other token solutions by remaining associated with the card so they can be tracked for all guest transactions, customer analytics, and marketing purposes. The most widely adopted tokenization solution on the market, TransactionVault is in use at more than 15,000 restaurants, hotels and retail establishments.

• FLEXIBILITY: The solution is designed to integrate with any encrypting device, offering merchants flexibility in their hardware solutions. Further, as Merchant Link’s Payment Gateway connects to all major credit card processors, our customers have the freedom to choose the processor that best fits their business.

In addition, Merchant Link is hosting a breakout session today that provides a complete overview of this groundbreaking security solution.

Leave a comment if you missed the session and want more details!

Our team at the 2010 HITEC Conference in Orlando, FL

by Tim Kinsella

In today’s cyber-insecure world, merchants are continually under attack from nefarious hackers bent on stealing their customers’ credit card data.  In addition, with the ongoing challenge of meeting PCI Compliance requirements, many merchants can feel like they are in the credit card business – as opposed to being in the business of selling the products and services that fuel their bottom-lines and livelihoods.

Welcome to SecurityCents written by our experts at Merchant Link.  We’ve designed this site to be the premier destination for all things related to transaction security for merchants.  On an ongoing basis, we will be covering topics that aim to help merchants better protect their customer data and meet PCI requirements.

From key insights into encryption and tokenization technologies to case studies of actual merchants taking grand security steps, as well as videos and podcasts that aim to educate merchants on how best to secure their transactions, we will cover a wide range of valuable topics.

So, our goal is to get merchants out of the credit card business and SecurityCents will help them reach this milestone.  In addition, we hope to make this a community where merchants can share their thoughts, ideas and best practices.   So, please feel free to share your story and let’s collectively make SecurityCents a successful resource for all merchants.